| | December 20179CIOReviewPut a Plan in Place Now If You Don't have One Already.This plan should engage three key teams: an incident response team, a crisis communications team--or outside firm--and an outside counsel focused on computer security and cyber law. Your communications plan should encompass how you will engage with employees, customers, investors, clients, business partners, and additional stakeholders. Finally, test your plan regularly and ensure everyone knows their role.Know How to Investigate the Breach.As soon as you know or suspect you've been breached, contact your card service provider, or acquirer. They may instruct you to hire a Payment Card Industry (PCI) Forensic Investigator, or PFI. A PFI is a firm that's been certified through the PCI Security Standards Council to conduct the investigation, determine the root cause, recommend or implement fixes, and report back to the relevant payment card brand organizations. Depending on which payment card brands you accept, this may even be a requirement. Some experts recommend having a PFI on retainer to ensure they are familiar with your company and on standby.Preserve the Evidence.The success of the investigation depends on the quality of the available evidence, and it is important to ensure the integrity of your system components and data environment.Let the Pros Get to Work.A PFI will analyze an image of your card processing environment to see when, where and how the criminals got in, and what malware or malicious software they may have deployed. The PFI will then remove the malware and secure your system. This establishes the at-risk timeframe--the elapsed time between the infiltration of your network and when the malware was contained or eradicated.Check your State and Federal Laws or Regulations.Most states have enacted legislation requiring businesses to notify customers of breaches involving personal information. There may be other laws or regulations that apply to your specific business or industry.Add Up the Costs.Depending on the number of credit and debit cards that are at risk and whether your security measures were up to date and compliant with PCI mandates, you may be subjected to non-compliance fines or a card brand assessment. You may also incur costs associated with notifying impacted customers or clients, as well as potential fees for retaining legal counsel or public relations and reputational management experts.Now let's talk about what your company can do to avoid data breaches:Make Sure You are PCI Compliant Now.A common theme among businesses who suffered a data compromise is that they were not PCI compliant at the time of the data breach. If you process, store or transmit payment card data, you are required to implement and uphold the PCI Data Security Standards (PCI DSS).Understand Compliance is An Ongoing Commitment.Many companies treat PCI compliance as a single moment in time, reaching a point of compliance and calling it a day. Maintaining compliance is an ongoing commitment to keep up with evolving policies, technologies, and processes. Changes you make to your card processing environment, such as adding a new way to accept credit/debit cards, may knock you out of compliance. It is up to you to regularly re-evaluate your compliance.Regularly Check Your General Liability and Cybersecurity Liability Policies.Work with your insurance provider to help ensure you are covered against all assessments in the event of a breach.Deploy Technology to Secure Your Payment Card Data.End-to-end or point-to-point encryption and tokenization, if properly implemented, is an effective way to secure payment card data.The true cost of a data breach is different for every company, but taking precautions and understanding what to do immediately after the discovery of a breach can help you minimize the fallout and get back to running your business. The best way to reduce damage is to act quickly Larry Brennan
<
Page 8 |
Page 10 >